Feature Request and Security Bug

From: Stefan Esser
Subject: Feature Request and Security Bug
Date: Tue, 14 Jan 2003 18:44:08 +0100
User-agent: Mutt/1.4i
Hi,

first of all, we would like to see our patch applied. It adds the functionality
to disable Update-prog and Checkin-prog from the configuration. Both functions
make it absolutely impossible to work with multiple committers on a CVS pserver.
I do not want to hear the old song "pserver is insecure". There is, e.g., nothing
insecure if you have a documentation repository. If someone is able to sniff a
password, he should not be able to execute commands on the server. If he wants
to change the documentation, then one can see this, change his password, and the
wrong commit is restored. With both commands enabled, any writer can execute
arbitrary commands on the server.
My second wish is more important. There is a remotely exploitable bug in CVS
that allows anyone to execute arbitrary code. I want someone from the project
to contact me because of this bug. Derek R. Price was mailed about it over 10
days ago and he hasn't replied yet. Seems he is on vacation. I will only talk
about this bug in private GPG-encrypted mail and only with a person that is
a main committer (so do not forget your keys).
Stefan Esser
Attachment: cvs.diff (text document)
Attachment: PGP signature